Living-off-the-COM-Type-Coercion-Abuse: achieve stealthy command execution by abusing implicit type coercion

by · Published · Updated

COM Type Coercion Execution in PowerShell

This technique leverages PowerShell’s .NET interop layer and COM automation to achieve stealthy command execution by abusing implicit type coercion. A custom .NET object is defined in PowerShell with an overridden .ToString() method. When this object is passed to a COM method such as Shell.Application.ShellExecute, PowerShell implicitly calls .ToString(), converting the object to a string at runtime.

The technique exploits the automatic conversion of objects to strings via the .ToString() method when interacting with COM methods. This creates an execution path that may bypass traditional security monitoring tools focused on direct PowerShell command execution.

command execution

Key Components

  • Custom Class Definition: Creating a class that overrides the standard .ToString() method to return a command string rather than typical object information.
  • PowerShell Type Coercion: Leveraging PowerShell’s automatic type conversion system.
  • COM Object Execution: Using the ShellExecute method of the Shell.Application COM object.

Download

Tags: